FOCA is a tool that analyzes documents and files to extract metadata, hidden information, and lost data. It can analyze files from websites like Whitehouse.gov. FOCA 2.5 includes new features like network discovery algorithms to recursively map internal networks by resolving IPs, checking DNS records, and using search engines to discover more URLs and domains. It also includes DNS cache snooping and a reporting module to organize extracted information.

1. FOCA 2.5 Chema Alonso José Palazón «PALAKO»

2. What our FOCA is not

3. What our FOCA is not

4. What’s a FOCA?

5. FOCA on Linux?

6. Previously on FOCA….

7. FOCA 0.X

8. FOCA: File types supported Office documents: Open Office documents. MS Office documents. PDF Documents. XMP. EPS Documents. Graphic documents. EXIFF. XMP. Adobe Indesign, SVG, SVGZ ( NEW )

9. What can be found?

10. Pictures with GPS info..

11. Demo: Single files

12. Sample: mda.mil Total: 1075 files

13. Sample: FBI.gov Total: 4841 files

14. FOCA 1 v. RC3 Fingerprinting Organizations with Collected Archives Search for documents in Google and Bing Automatic file downloading Capable of extracting Metadata, hidden info and lost data Cluster information Analyzes the info to fingerprint the network.

15. DNS Prediction

16. Google Sets Prediction

17. Sample: Printer info found in odf files returned by Google

18. Demo: Whitehouse.gov

19. Yes, we can!

20. FOCA 2.0

21. What’s new in FOCA 2.5? Network Discovery Recursive algorithm Information Gathering Sw Recognition DNS Cache Snooping Reporting Tool

22. FOCA 2.5: Exalead

23. PTR Scannig

24. Bing IP

25. FOCA 2.5 & Shodan

26. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc http -> Web server GET Banner HTTP domain.com is a domain Search NS, MX, SPF records for domain.com sub.domain.com is a subdomain Search NS, MX, SPF records for sub.domain.com Try all the non verified servers on all new domains server01.domain.com server01.sub.domain.com Apple1.sub.domain.com is a hostname Try DNS Prediction (apple1) on all domains Try Google Sets(apple1) on all domains

27. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 11) Resolve IP Address 12) Get HTTP Banner of http://IP 13) Use Bing Ip:IP to find all domains sharing it 14) Repeat for every new domain 15) Connect to the internal NS (1 or all) 16) Perform a PTR Scan searching for internal servers 17) For every new IP discovered try Bing IP recursively 18) ~chema -> chema is probably a user

28. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 19) / , /~chema/ and /~chema/dir/ are paths 20) Try directory listing in all the paths 21) Search for PUT, DELETE, TRACE methods in every path 22) Fingerprint software from 404 error messages 23) Fingerprint software from application error messages 24) Try common names on all domains (dictionary) 25) Try Zone Transfer on all NS 26) Search for any URL indexed by web engines related to the hostname 27) Download the file 28) Extract the metadata, hidden info and lost data 29) Sort all this information and present it nicely 30) For every new IP/URL start over again

30. FOCA 2.5 URL Analysis

31. FOCA 2.5 URL Analysis

32. Demo: Whitehouse.gov

33. Yes, we can!

34. DNS Cache Snooping

35. FOCA Reporting Module

36. FOCA Reporting Module

37. Demo: DNS Cache Snooping

38. FOCA Online http://www.informatica64.com/FOCA

39. IIS MetaShield Protector http://www.metashieldprotector.com

40. Cleaning documents OOMetaExtractor http://www.codeplex.org/oometaextractor

41. Questions at Q&A room 113 Speakers: Chema Alonso [email_address] Blog: http://elladodelmal.blogspot.com http://twitter.com/chemaalonso José Palazón «PALAKO» [email_address] Working on FOCA: Chema Alonso Alejandro Martín Francisco Oca Manuel Fernández «The Sur» Daniel Romero Enrique Rando Pedro Laguna Special Thanks to: John Matherly [Shodan]

42. … and Tomorrow here at 19:00

43. Demo: US Army